A data-logging software company tried to quash an Android developer's critical …

Carrier IQ apologized yesterday in a statement (PDF) and backed down from its legal threats. "As of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."

Original story:

A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.

Though the software is installed on millions of Android, BlackBerry, and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps to its battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent.

Eckhart called the software a “rootkit,” a security term that refers to software installed at a low level on a device, without a user’s consent or knowledge, in order to secretly intercept the device’s workings. Malware such as keyloggers and trojans are two examples.

He also mirrored the Mountain View, Calif. company’s training manuals he’d found on Carrier IQ’s publicly available website. The manuals provide a limited roadmap for how Carrier IQ works, Eckhart said in a telephone interview.

When Carrier IQ discovered Eckhart’s recent research and his posting of those manuals, Carrier IQ sent him a cease-and-desist notice, saying Eckhart was in breach of copyright law and could face damages of as much as $150,000, the maximum allowed under US copyright law per violation. The company removed the manuals from its own website, as well.

On Monday, the Electronic Frontier Foundation announced it had come to the assistance of the 25-year-old Eckhart of Connecticut, who Carrier IQ claims has breached copyright law for reposting the manuals.

“I’m mirroring the stuff so other people are able to read this and verify my research,” he said. “I’m just a little guy. I’m not doing anything malicious.”

The company is demanding Eckhart retract (.pdf) his “rootkit” characterization of the software, which is employed by most major carriers, Eckhart said.

The EFF says Eckhart’s posting of the files is protected by fair use under the Copyright Act for criticism, commentary, news reporting and research, and that all of Carrier IQ’s claims and demands are “baseless.” (.pdf)

Andrew Coward, Carrier IQ’s marketing manager, said in a telephone interview Tuesday that the company, not Eckhart, should be in “control” of the manuals.

“Whatever content we distribute we want to be in control of that,” he said. “I think obviously, any company wants to be responsible for the information that gets distributed.”

He said “legal matters” prohibited the six-year-old company from discussing the Eckhart flap further.

CarrierIQ describes what it does

He said the company’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”

“We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

Marcia Hofmann, an EFF senior staff attorney, said the civil rights group has concluded that “Carrier IQ’s real goal is to suppress Eckhart’s research and prevent others from verifying his findings.”

In a Monday letter to Carrier IQ, Hofmann said Eckhart’s speech was protected by the First Amendment.

What’s more, the company is demanding that Eckhart inform Carrier IQ of the names of all persons to which Eckhart has forwarded the training material. The company also wants Eckhart to send “written retractions” to everybody who has viewed his research in hard copy or on the Web.

Among other things, Carrier IQ insists that Eckhart retract his “root kit” characterization of the unremovable software, and other statements, by issuing a press release to The Associated Press.

A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have “root” access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).

Legitimate Rootkits?

Rootkits can also be used for what some vendors consider valid purposes. For example, if digital rights management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and also prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection.

In 2005, Sony came under fire for installing a rootkit on music CDs. Security expert Bruce Schneier wrote then that “The Sony code modifies Windows so you can’t tell it’s there, a process called ‘cloaking’ in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can’t be removed; trying to get rid of it damages Windows.”

In a letter to Eckhart, Carrier IQ said, “If you do not comply with these cease and desist demands within this time period, please be advised that Carrier IQ, Inc. will pursue all available legal remedies, including seeking monetary damages, injunctive relief, and an order that you pay court costs and attorney’s fees.”

The deadline expired Nov. 18, but so far Carrier IQ has not made good on its threats.

They're doing what they think is in the best interest of the company. If people aren't aware of the software, they're less likely to actively avoid it. People are very concerned with mobile phone privacy issues, and rightly so, and we don't know what carrierIQ does.

It may very well be that they're doing some things we'd feel violates our privacy. Or perhaps they want to keep all of their options open, some of which would certainly close if people were made aware of what they were all about, which phones it was on, etc.

While it makes legal sense for them to use these tactics if the tactics have a high probability of working, I think it's too late. The cat is out of the bag and they shouldn't try to be so heavy-handed. Couldn't they just bribe this kid?

The iOS issue was both done on purpose and without end users knowing. The difference is that iOS has acknowledged their mistake and fixed it, while this company refuses to acknowledge the issues behind their software.

Also Apple is the same company that made the iOS software, so it is expected that they could be keeping track of some things. It's different when a third party keeps track of such things.

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

As important as this story is, it's so badly written that I couldn't finish it.

I imagine Ars has no control over this since it comes from Wired, but someone at Wired should be embarrassed for running it without proper editing. If it's not worth their time to edit it, then it's not worth my time to read it.

Lies! The consumer benefits from Android's openness! This is the reason why I use an iPhone. I hate the carriers and don't want them "improving" the OS on the phone with addins.

Well, that's nice that you like not being able to do much other than what Apple wants you to. I've already found some ways of finding this if it's on my Android phone and can go through and remove it if I so desire. Sure, Apple isn't going to come out and say this is what they are doing, but if they are, how can you tell/do anything about it?

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go to, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Now, I have no way of checking whether that is true or not—but if it is, it wouldn’t surprise me at all.

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

Actually, yes, AT&T is more trustworthy, because if they break their end of the bargain, they're violating a contract. Nobody signed a contract with CarrierIQ. Though, it's probably in the carrier legalese somewhere - the fact remains that nobody willingly opened their phones to a third party who "may" be able to read all your stuff. Relying on a company's goodwill is a bad way to prevent abuse, as we all know.

Seems to me the company's reaction is much more damaging to themselves than what Mr. Eckhart has done. They should have just said, "well, yeah, duh, that's what our software does, no big deal, nothing to see, move along." If anyone were to keep making a stink, they could try to work out some sort of "we'll add opt-out measures" or something while keeping it as low-key as possible.

While I won't argue the oft cited point that the openness is mostly for handset vendors and carriers, that it is open is immaterial to this issue as such openness allows shitty carriers to force this crap on your device, and it also allows the creation of things like Cyanogenmod.

Openness is a double edged sword. Suggesting that it's bad because unscrupulous companies abuse it is ridiculous.

I'm not really sure what the issue here is. Obviously carriers need to monitor a lot of this type of data to provide the services they do, and if they're the ones installing and using it on their own devices, covered by TOSes, I have a hard time calling it a "rootkit". Seems like by that standard many legitimate parts of OSes would be "rootkits". If they wrote the code themselves instead of outsourced it to a third party business partner who specializes in it, would that be different?

The carriers can already read your messages if they want, and they obviously have to do things like know and track where you are to be able to connect your phone to a cell tower... but somehow AT&T is more trustworthy than a contracted third party? Meh, idk, seems overblown to me.

I own my phone outright. I don't expect any software to be there that I haven't personally installed. Period. This is no different than my ISP claiming to need to install software on my PC so that they can provide me optimal service. BS and, BTW, illegal--because it is my computer and it is my phone.

TheFLP: As important as this story is, it's so badly written that I couldn't finish it.

I imagine Ars has no control over this since it comes from Wired, but someone at Wired should be embarrassed for running it without proper editing. If it's not worth their time to edit it, then it's not worth my time to read it.

They are changing the name of the magazine soon from Wired to Baked to better reflect their over-all orientation to tech journalism.

Quote: "IQ Insight Experience Manager uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network." So this company is able to supply carriers (or whomever pays for their services) with information on your data usage of the device even if you are connected, say to your home wireless network.

Quote: "IQ Insight Experience Manager takes customer experience profiling to another level, enabling you to view experience data at any level of granularity from the entire population, to comparative groups, down to individual users, all at the touch of a button." "Down to individual users": if that doesn't raise an eyebrow in the most jaded of users, then I don't know what will.

Quote: "View application and device feature usage, such as camera, music, messaging, browser and TV." Even if you are not querying/retrieving any data, this nifty little piece of software (don't call it rootkit, it makes them angry) will monitor anything you do with your phone.

And that's why people that care about their privacy (as much as there could be privacy in the digital age) should at the very least consider abandoning the stock ROM in favour of CM7 or its brethren as soon as they get their hands on the device. Then again, most don't give a flying frak as evidenced by the runaway popularity of Twitter and Facebook...

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go to, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Um, what? That's why when you turn on any location identifying option in Android it specifically tells you that it will collect location based data, and you have to click on 'Agree'.

He answered “probably yes” when asked whether the company could read the text messages if it wanted.

Probably?

Either they can or they cannot read text messages using their software. If this guy doesn't understand that this is an extremely sensitive topic for most people and is incapable of providing an honest answer, then he deserves whatever befalls his company in the aftermath of this.

Also Apple is the same company that made the iOS software, so it is expected that they could be keeping track of some things. It's different when a third party keeps track of such things.

Well, it depends on what is being done with the information collected. Does Carrier IQ just pass the information on to ATT and Verizon? If so, then it's basically like the carriers outsourced the development of critical software to Carrier IQ. If Carrier IQ is allowed to do whatever they like with the data collected, it's a more serious matter.

Also, how is the software installed? If it comes with the phone, then shouldn't we be mad at the wireless companies?

No one actually "owns" their mobile phone, or the software installed on it. Look carefully at any of the licensing agreements you may or may not be knowingly agreeing to. I guarantee that 99% of them contain language that explains how you are merely purchasing a license to use the device or software within the terms set forth by the manufacturer or mobile carrier. This is why most manufacturers and carriers are against jailbreaking, or physically modifying phones. They simply don't want you to screw around with their code, device, or network. Considering that the mobile airspace is regulated by governments, you can bet the carriers will do whatever it takes to keep every device in line.

I believe there was some discussion during the early life of the iPhone that modified or jailbroken phones were causing congestion on AT&T's network. I'm sure this has been proven untrue many times; regardless, AT&T & Apple continue to use it as an excuse to lock down the iPhone.

Now, if this particular application is tracking the location of the user, without a valid warrant, then that may be illegal soon enough. (It sounds like they are, because they track call records.) We can only cross our fingers and hope the corrupted tards on the Supreme Court will rule in favor of both John Q Public and logic, once this issue inevitably makes it there.

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee, this probably affects BB's OS and Symbian (Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels too) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

Lies! The consumer benefits from Android's openness! This is the reason why I use an iPhone. I hate the carriers and don't want them "improving" the OS on the phone with addins.

Well, that's nice that you like not being able to do much other than what Apple wants you to. I've already found some ways of finding this if it's on my Android phone and can go through and remove it if I so desire. Sure, Apple isn't going to come out and say this is what they are doing, but if they are, how can you tell/do anything about it?

Um, same as you. Root the phone. Why is it that Android advocates seem to think this is only an option on Android?

No one actually "owns" their mobile phone, or the software installed on it. Look carefully at any of the licensing agreements you may or may not be knowingly agreeing to. I guarantee that 99% of them contain language that explains how you are merely purchasing a license to use the device or software within the terms set forth by the manufacturer or mobile carrier. This is why most manufacturers and carriers are against jailbreaking, or physically modifying phones. They simply don't want you to screw around with their code, device, or network. Considering that the mobile airspace is regulated by governments, you can bet the carriers will do whatever it takes to keep every device in line.

I believe there was some discussion during the early life of the iPhone that modified or jailbroken phones were causing congestion on AT&T's network. I'm sure this has been proven untrue many times; regardless, AT&T & Apple continue to use it as an excuse to lock down the iPhone.

Now, if this particular application is tracking the location of the user, without a valid warrant, then that may be illegal soon enough. (It sounds like they are, because they track call records.) We can only cross our fingers and hope the corrupted tards on the Supreme Court will rule in favor of both John Q Public and logic, once this issue inevitably makes it there.

Congress has already had hearings on this. Wouldn't be surprised if a law isn't passed in the next couple years to make this illegal. Imagine if someone hacked Carrier IQ and could find all their correspondence with lobbyists or their sexual affairs. They don't want to be monitored any more than the rest of us.

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee, this probably affects BB's OS and Symbian (Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels too) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

I was a bit loose with my wording. I was more concerned with feature phones. I have a Sony Ericsson Equinox (feature phone) and wasn't sure if I should be worried about this.

No one actually "owns" their mobile phone, or the software installed on it.

Actually lots of people outside the US own their phones, and some inside do as well. You're basically right though that you have to agree to TOS when you use a network, and if the TOS include a requirement that you install this software for monitoring purposes then you're out of luck.

It would be interesting to know if such unsubsidized, unlocked phones have this installed as well though.

A friend of mine was talking to a Google Maps dev at the Google Conference in Berlin and was surprised how open the guy was about Google tracking all movement of people carrying Android phones in order to do "interesting stuff with Google Maps", like making maps of interesting locations that people with Android phones often go to, tracking traffic paths, etc.

The Google Maps developer also said that asking users permission to send location data would be "too complicated for the users", so they’re collecting it without saying.

Um, what? That's why when you turn on any location identifying option in Android it specifically tells you that it will collect location based data, and you have to click on 'Agree'.

He wasn’t talking about applications collecting that data, but the system. Like I said, though, no way to verify, but the Google engineer was apparently very certain of collecting that data being "cool" and how asking the users permission would be confusing to the poor souls. That together with the whole show on Saturday made my friend leave by 2 or 3 pm, as he felt quite disappointed at how Microsoft-y Google apparently is.

information on your data usage of the device even if you are connected, say to your home wireless network.

Far be it from me to take this one snippet out of context, but I think someone is begging for a lawsuit. If I find that my device(s) have CarrierIQ on it you can be sure that I, like many others, am going to throw as hard a legal battle as I can afford at that company and Verizon on top of that. On my phone, using Verizon services I am somewhat beholden to Verizon policies (of which I consented), however tracking any data over my home network is an out and out violation of my privacy. I don't want money from these people, but if it will help stop them and their contemporaries from this kind of practice, I won't complain about taking it.

Is this only on Androids or is it on Windows phones and even feature phones?

The only saving grace is that the amount of data that this system would accumulate would be so incredible that they couldn't possibly aggregate it except for individuals they target.

Unless Nokia and Blackberry started making Android devices while I was making my coffee, this probably affects BB's OS and Symbian (Though I wouldn't be surprised Nokia's W7 phones could have this in their bowels too) - - - Though the software is installed on millions of Android, BlackBerry, and Nokia phones - - - The beginning of the second paragraph

I was a bit loose with my wording. I was more concerned with feature phones. I have a Sony Ericsson Equinox (feature phone) and wasn't sure if I should be worried about this.

My apologies, but today of all days my industrial-strength coffee decided not to wake me fast enough. I sincerely doubt they've got feature-phones running this rootkit, as both they are less of a target market these days (sorry), but also because it might be harder to gather, store and transmit data without the knowledge of the user.... HOWEVER, I wouldn't be surprised there's a solution to circumvent that (Maybe even as part of the basic firmware itself)